Firstly, I wish to commend the European Data Protection Board (EDPB) for drafting 
Guidelines on the targeting of social media users. In doing so, it provides more clarity 
to the problematic legal position of many operators that are active in the online 
advertisement industry.¹ 


With this letter, I would like to point the EDPB’s attention to one point in particular that 
needs further clarification in the updated Guidelines. Chapter 6 (pages 24-27) of the 
draft Guidelines sheds light on how transparency should be given shape in the context 
of targeting social media users. Within that chapter, there is a section specifically 
dedicated to the right of access (Art.15 GDPR). 


The right of access has been a vital component of data protection laws from the very 
beginning.² It is part of the fundamental right to data protection in Art.8 Charter, and 
occupies a pivotal role in achieving the GDPR’s aim of effective and complete 
protection of the fundamental rights and freedoms of natural persons with respect to the 
processing of personal data.³ As I have explained with colleagues in a previous 
submission to the EDPB, the right of access operates as a sine qua non for exercising 
many other data subject rights (Chapter III GDPR);⁴ a tool for private individuals 
to monitor controllers’ compliance with the general principles governing the 
processing of personal data, notably Articles 5-6 of the GDPR (cf. recital 63 GDPR); 
and a due process guarantee.⁵ 


1 Recent efforts qualifying the systemic and legal issues underlying much of these practices: Harriet Kingaby and 
Frederike Kaltheuner, ‘Ad Break for Europe. The Race to Regulate Digital Advertising and Fix Online Spaces’ (2020) 
<https://assets.mofoprod.net/network/documents/Ad_Break_for_Europe_FINAL_online.pdf>; Panoptykon Foundation, 
‘Who (Really) Targets You?’ (2020) <https://panoptykon.org/political-ads-report> accessed 20 April 2020. 

2 Jef Ausloos and Pierre Dewitte, ‘Shattering One-Way Mirrors — Data Subject Access Rights in Practice’ (2018) 8 
International Data Privacy Law 4. 

3 René Mahieu and Jef Ausloos, ‘Harnessing the Collective Potential of GDPR Access Rights: Towards an Ecology of 
Transparency’ [2020] Internet Policy Review 
<https://policyreview.info/articles/news/harnessing-collective-potential-gdpr-access-rights-towards-ecology-transparency/1487> 
accessed 6 July 2020. 

4 Also confirmed by the CJEU in Rijkeboer (n 4) [51]; Nowak (n 4) [57]. 


Empirical research and many accounts by experts in the field have repeatedly 
demonstrated online platforms, and social media operators in particular, not to fully 
respect the right of access.⁶ Twitter, for instance, denies giving access to t.com data, 
i.e. the logs of all hyperlinks users click when using the Twitter service, because it 
would allegedly require a disproportionate effort.⁷ Similar issues exist with regard to 
Facebook and Apple.⁸ Even more, and easily verifiable by simply filing an access 
request right now, most responses to such requests filed with large social media 
operators do not include (all) inferred and derived data about the data subject. 
The ‘disproportionate effort’ defence is absurd in light of the very business model 
underlying these operators, the scale at which they operate and their available resources. 
As written before, 


‘An argument that a ‘manifestly unfounded or excessive’ request might be 
construed as one which relates to any sufficiently large or complex processing 
operation sets a dangerous precedent that some data processing activities are ‘too 
big to regulate’. This logic would mean to say that some processing activities are at 
such a global scale, and so complex, and producing and capturing so much data 
about individuals, that they escape the reach of fundamental rights such as the right 
to access. This seems perverse: the more impactful and the more sizeable the 
activity, surely the higher the acceptable cost of compliance on the data 
controller, and the more urgent and pressing the need to provide data subjects 
with oversight and control rights.’⁹ 


This is very problematic in light of the vital role the right of access has (cf. above), 
particularly in the ubiquitous and high-impact sector of social media. It is therefore 
important that the EDPB emphasises in its Guidelines, the need for social media 
operators to provide any and all personal data (including inferred and derived 
personal data) to data subjects upon request. It should be made clear that social 
media operators can in principle not refuse to provide access to individual access 
requests because they would be manifestly unfounded or excessive. 


5 Jef Ausloos, René Mahieu and Michael Veale, ‘Getting Data Subject Rights Right A Submission to the European Data 
Protection Board from International Data Rights Academics, to Inform Regulatory Guidance’ (2020) 10 JIPITEC 
<http://www.jipitec.eu/issues/jipitec-10-3-2019/5031>. 

6 Jef Ausloos and Pierre Dewitte, ‘Shattering One-Way Mirrors — Data Subject Access Rights in Practice’ (2018) 8 
International Data Privacy Law 4; Michael Veale, Reuben Binns and Jef Ausloos, ‘When Data Protection by Design and 
Data Subject Rights Clash’ (2018) 8 International Data Privacy Law 105; René LP Mahieu, Hadi Asghari and Michel 
van Eeten, ‘Collectively Exercising the Right of Access: Individual Effort, Societal Effect’ (2018) 7 Internet Policy 
Review <https://policyreview.info/articles/analysis/collectively-exercising-right-access-individual-effort-societal-effect> 
accessed 16 July 2018; Paul-Olivier Dehaye, ‘Written Evidence to House of Commons DMCS Committee’ 
(March 2018) 
<http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/digital-culture-media-and-sport-committee/fake-news/written/80117.html#_ftn3> 
accessed 29 March 2018. 

7 Response to access request from the author. A complaint filed with the Belgian Gegevensbeschermingsautoriteit was 
forwarded to the Irish DPC and is presumably still pending, as no update was given since 2018. 

8 Jef Ausloos, ‘Paul-Olivier Dehaye and the Raiders of the Lost Data’ (CITIP blog, 10 April 2018) 
<https://www.law.kuleuven.be/citip/blog/paul-olivier-dehaye-and-the-raiders-of-the-lost-data/> accessed 23 April 2018. 
9 Jef Ausloos, René Mahieu and Michael Veale, ‘Getting Data Subject Rights Right A Submission to the European Data 
Protection Board from International Data Rights Academics, to Inform Regulatory Guidance’ (2020) 10 JIPITEC 
<http://www.jipitec.eu/issues/jipitec-10-3-2019/5031>. 

When it comes to the additional information that needs to be provided in responses to an 
access request (Art.15(1) GDPR), the vast majority of controllers — and social media 
operators in particular — will simply provide data subjects with a copy of relevant 
sections from the privacy/data policy. Again, this is easily verifiable by submitting an 
access request with any social media operator. In still on-going empirical research I am 
currently conducting (to be published next year), the overwhelming majority of 
controllers only refer to or copy-paste (parts of) their privacy/data policy when 
asked for information under Art.15(1). This is problematic because controllers seem 
to systematically confuse their obligations under Artt.13-14 with those in Article 15. 


The transparency requirements in Artt.13-14 are ex ante transparency measures, 
requiring controllers to proactively inform data subjects about how their personal data 
will be processed. This is generally given shape through privacy/data policies that are 
aimed at all data subjects. As such, it will often only contain generic information, many 
different purposes and lawful grounds, vague retention periods, etc. While not wishing 
to go into the many things that are wrong with most social media operators’ privacy 
policies, I do wish to call attention to their obligations under Article 15(1). Indeed, if the 
right of access under Art.15(1) is to have any practical meaning whatsoever (and any added 
value complementing Artt.13-14), the content of the response should be tailored to 
the data subject in particular. ‘The added value of Article 15 is that it provides the 
possibility for individual data subjects to learn more about their particular situation 
upon request. This also follows from the Court’s case law in Nowak¹⁰ and 
Rijkeboer¹¹.’¹² It is worth reiterating the following anecdote from an earlier submission 
to the EDPB: 


The issue is illustrated by the way in which Facebook responds to access requests: 


Even when specifically asked not to simply recite their privacy policy, Facebook 
still does. When explicitly requested to provide ‘a complete and detailed overview 
of all the different ways personal data have been and will be processed (not your 
general privacy policy, but a list of which of my data were used for which concrete 
purpose) as well as the exact lawful ground (art.6 (1) GDPR) for each processing 
purpose’, Facebook responds: 


We understand that Mr XYZ would like a complete and detailed overview of all 
the different ways in which his personal data have been processed and will be 
processed, including the legal basis relied on by Facebook. Whilst Mr XYZ 
indicates he does not seek our “general privacy policy”, we'd like to clarify that 
the information requested by him is detailed in this document and our legal bases 
fly out. 


Facebook’s response is problematic because: 


(a) it refers to its privacy policy, which manifestly does not link exactly what 
personal data is used for exactly what purpose and under what lawful ground each 
individual purpose falls. 


(b) it fails to provide a tailored answer to the data subject in particular, who wishes 
to know what exact information was collected for what purposes and under what 
lawful ground, for his particular situation.¹³ 


10 Nowak (n 4) [56]. 

11 Rijkeboer (n 4) [69]. 

12 Jef Ausloos, René Mahieu and Michael Veale, ‘Getting Data Subject Rights Right A Submission to the European Data 
Protection Board from International Data Rights Academics, to Inform Regulatory Guidance’ (2020) 10 JIPITEC 
<http://www.jipitec.eu/issues/jipitec-10-3-2019/5031>. 


With this in mind, the present Guidelines offer a great opportunity to emphasise how 
the right of access in Article 15 requires controllers to tailor the information to the 
specific situation of the data subject making the request, meaning that each data 
subject can ask, for example: (a) what exact purposes their specific personal data has 
been processed for; (c) the exact (categories of) recipients their personal data has been 
disclosed to; and (g) what source their specific personal data were obtained from.¹⁴ 


Specifically, the EDPB can do this in paragraph 93 of the draft Guidelines, which 
currently reads that ‘In general, to fulfill the requirements of Article 15 (1) GDPR and 
to ensure full transparency, controllers may want to consider implementing a 
mechanism for data subjects to check their profile, including details of the information 
and sources used to develop it. The data subject is entitled to learn of the identity of the 
targeter, and controllers must facilitate access to information regarding the targeting, 
including the targeting criteria that were used, as well as the other information 
required by Article 15 GDPR.’ 


The final version of this paragraph can be edited into (additions in bold): ‘In general, to 
fulfill the requirements of Article 15 (1) GDPR and to ensure full transparency, 
controllers may want to consider implementing a mechanism for data subjects to check 
their profile, including details of the information and sources used to develop it, the 
specific lawful ground relied upon for each processing purpose, as well as the 
(categories of) recipients, retention periods (or criteria) of all their personal data in 
granular fashion. The data subject is entitled to learn of the identity of the targeter, and 
controllers must facilitate access to information regarding the targeting, including the 
targeting criteria that were used, as well as the other information required by Article 15 
GDPR. It is important that such information should be tailored to the particular 
situation of the data subject, complementing any information already given under 
Articles 13-14.’ 


13 Jef Ausloos, René Mahieu and Michael Veale, ‘Getting Data Subject Rights Right A Submission to the European Data 
Protection Board from International Data Rights Academics, to Inform Regulatory Guidance’ (2020) 10 JIPITEC 
<http://www.jipitec.eu/issues/jipitec-10-3-2019/5031>. 

<http://www.jipitec.eu/issues/jipitec-10-3-2019/5031>. 